Ruleset Update Summary - 2025/04/14 - v10904

rulesbot · April 14, 2025, 8:18pm

Summary:

76 new OPEN, 90 new PRO (76 + 14)

Thanks @naumovax

Added rules:

Open:

2061509 - ET INFO DYNAMIC_DNS Query to a *.inoa .cl domain (info.rules)
2061510 - ET INFO DYNAMIC_DNS HTTP Request to a *.inoa .cl domain (info.rules)
2061511 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aquesolp .run) (malware.rules)
2061512 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aquesolp .run) in TLS SNI (malware.rules)
2061513 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (astroset .top) (malware.rules)
2061514 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (astroset .top) in TLS SNI (malware.rules)
2061515 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jawdedmirror .run) (malware.rules)
2061516 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jawdedmirror .run) in TLS SNI (malware.rules)
2061517 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (legislatiu .cfd) (malware.rules)
2061518 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (legislatiu .cfd) in TLS SNI (malware.rules)
2061519 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lonfgshadow .live) (malware.rules)
2061520 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lonfgshadow .live) in TLS SNI (malware.rules)
2061521 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nighetwhisper .top) (malware.rules)
2061522 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nighetwhisper .top) in TLS SNI (malware.rules)
2061523 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owlflright .digital) (malware.rules)
2061524 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (owlflright .digital) in TLS SNI (malware.rules)
2061525 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pastoralkyu .click) (malware.rules)
2061526 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pastoralkyu .click) in TLS SNI (malware.rules)
2061527 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (qualityow .store) (malware.rules)
2061528 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (qualityow .store) in TLS SNI (malware.rules)
2061529 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vqaliantheart .live) (malware.rules)
2061530 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vqaliantheart .live) in TLS SNI (malware.rules)
2061531 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (*.digital-odyssey .shop) (malware.rules)
2061532 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (*.digital-odyssey .shop) in TLS SNI (malware.rules)
2061533 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dryguitttaow .shop) (malware.rules)
2061534 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dryguitttaow .shop) in TLS SNI (malware.rules)
2061535 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (*.culture-quest .shop) (malware.rules)
2061536 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (*.culture-quest .shop) in TLS SNI (malware.rules)
2061537 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fairycity .shop) (malware.rules)
2061538 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fairycity .shop) in TLS SNI (malware.rules)
2061539 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (throaatyinpak .site) (malware.rules)
2061540 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (throaatyinpak .site) in TLS SNI (malware.rules)
2061541 - ET WEB_SPECIFIC_APPS Fortinet FortiSwitch Unauthenticated Unverified Password Change (CVE-2024-48887) (web_specific_apps.rules)
2061542 - ET MALWARE DuvetStealer C2 (send-zip) Traffic Outbound (malware.rules)
2061543 - ET MALWARE DuvetStealer C2 (send-token) Traffic Outbound (malware.rules)
2061544 - ET MALWARE DuvetStealer Related Domain (duvetstealer .com) in DNS Lookup (malware.rules)
2061545 - ET MALWARE Specter Insight Beacon CnC Domain in DNS Lookup (identity-shield .org) (malware.rules)
2061546 - ET MALWARE Observed Specter Insight Beacon Domain (identity-shield .org) in TLS SNI (malware.rules)
2061547 - ET WEB_SERVER SonicWall SRA Post-Auth viewcert CGI Command Injection (CVE-2016-9684) (web_server.rules)
2061548 - ET WEB_SERVER SonicWall SRA diagnostics CGI Command Injection (CVE-2016-9682) M1 (web_server.rules)
2061549 - ET WEB_SERVER SonicWall SRA diagnostics CGI Command Injection (CVE-2016-9682) M2 (web_server.rules)
2061550 - ET WEB_SERVER SonicWall SRA Post-Auth gencsr CGI Command Injection (web_server.rules)
2061551 - ET MALWARE Specter Insight Beacon CnC Checkin M2 (malware.rules)
2061552 - ET MALWARE Specter Insight Beacon CnC Checkin M3 (malware.rules)
2061553 - ET WEB_SPECIFIC_APPS D-Link DI-8100 auth.asp callback Parameter Buffer Overflow Attempt (CVE-2025-3538) (web_specific_apps.rules)
2061554 - ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042) (web_server.rules)
2061555 - ET INFO DYNAMIC_DNS Query to a *.kazoodle .com domain (info.rules)
2061556 - ET INFO DYNAMIC_DNS HTTP Request to a *.kazoodle .com domain (info.rules)
2061557 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (timerlesssaga .run) (malware.rules)
2061558 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (timerlesssaga .run) in TLS SNI (malware.rules)
2061559 - ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles CPU Exhaustion (CVE-2021-20041) (web_server.rules)
2061560 - ET MALWARE BlankGrabber New Victim Checkin/Exfil (POST) (malware.rules)
2061561 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (foggy-doggy .site) (malware.rules)
2061562 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (velvet5nssrv .shop) (malware.rules)
2061563 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (cdn-upload-files .buzz) (malware.rules)
2061564 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (buildit-right .buzz) (malware.rules)
2061565 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (go-cars-cheaprest .cfd) (malware.rules)
2061566 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (world-of-guides .buzz) (malware.rules)
2061567 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (sonorous-horizon-cfd .cfd) (malware.rules)
2061568 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (iqronrose .top) (malware.rules)
2061569 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (iqronrose .top in TLS SNI) (malware.rules)
2061570 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thiefbshadow .run) (malware.rules)
2061571 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thiefbshadow .run in TLS SNI) (malware.rules)
2061572 - ET MALWARE Observed DeerStealer Domain (foggy-doggy .site) in TLS SNI (malware.rules)
2061573 - ET MALWARE Observed DeerStealer Domain (velvet5nssrv .shop) in TLS SNI (malware.rules)
2061574 - ET MALWARE Observed DeerStealer Domain (cdn-upload-files .buzz) in TLS SNI (malware.rules)
2061575 - ET MALWARE Observed DeerStealer Domain (buildit-right .buzz) in TLS SNI (malware.rules)
2061576 - ET MALWARE Observed DeerStealer Domain (go-cars-cheaprest .cfd) in TLS SNI (malware.rules)
2061577 - ET MALWARE Observed DeerStealer Domain (world-of-guides .buzz) in TLS SNI (malware.rules)
2061578 - ET MALWARE Observed DeerStealer Domain (sonorous-horizon-cfd .cfd) in TLS SNI (malware.rules)
2061579 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (jagsrus .com) (exploit_kit.rules)
2061580 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (jagsrus .com) (exploit_kit.rules)
2061581 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (uochut .shop) (exploit_kit.rules)
2061582 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (uochut .shop) (exploit_kit.rules)
2061583 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .chamberscertifiedbookkeeping .com) (malware.rules)
2061584 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .chamberscertifiedbookkeeping .com) (malware.rules)

Pro:

2861125 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2861126 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2861127 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (DCRAT) (malware.rules)
2861128 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (DCRAT Loader Panel) (malware.rules)
2861129 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861130 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861131 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861132 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861133 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861134 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861135 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861136 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861137 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2861138 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/05/05 - v10920 Ruleset Updates	61	May 5, 2025
Ruleset Update Summary - 2024/11/12 - v10740 Ruleset Updates	123	November 12, 2024
Ruleset Update Summary - 2024/11/29 - v10761 Ruleset Updates	43	November 29, 2024
Ruleset Update Summary - 2024/11/15 - v10743 Ruleset Updates	133	November 15, 2024
Ruleset Update Summary - 2025/05/01 - v10918 Ruleset Updates	62	May 1, 2025

Ruleset Update Summary - 2025/04/14 - v10904

Summary:

Added rules:

Open:

Pro:

Related topics